⚠ Draft pending legal review. This document describes how the product handles data today, written by the engineering team based on the actual data flows in the code. It has not been reviewed by counsel. Do not rely on it as legally binding language; if you need a binding privacy commitment, ask your advisor at Passport to Wealth before proceeding.
Passport to Wealth Finance Clarity is a tool that builds a private financial dashboard on your own computer from your own files. The default mode is local-only. This page describes what little information leaves your computer when you use the tool, and what we deliberately do not collect.
1. What stays on your computer
The default mode is local processing. Specifically:
Your source files (bank statements, payslips, tax documents, anything you drop into the workspace inbox) live in ~/Documents/my-finances/ on Mac or %USERPROFILE%\Documents\my-finances\ on Windows. The pipeline scripts (classify, normalize, categorize, build_site, etc.) run locally on your machine and never upload these files anywhere.
One important nuance: if you explicitly ask the AI assistant to read a specific file (for example: "tell me about this paystub" or "summarize my Q3 statement"), the contents of that file are sent to Anthropic's API as part of your Claude conversation. That data flow is governed by your Anthropic account's data policy, not by us. We never see it. We have no API access to your conversation. The default skill flow does not ask Claude to read source files; it processes them with local Python scripts, so this only happens when you explicitly request it.
The categorized transactions and rendered dashboard are produced locally and opened locally in your browser via a file:// URL. No third-party server is contacted to render them.
Your AI assistant credentials (Claude Pro/Max session or Anthropic API key) are stored locally by Anthropic's tools, governed by Anthropic's privacy policy. We don't see them.
Categorization rules and local config (rules.yaml, config.yaml) are yours to edit and never transmitted.
2. What we collect
Three narrowly-scoped categories, each with a clear purpose:
Anonymous install-start counters. When the install script runs, it sends a single tiny event to a Cloudflare Worker we operate: {"v": 1, "event": "install_started", "platform": "mac" or "win", "build_stamp": "<UTC timestamp>", "advisor_id": "passporttowealth"}. That's the entire payload. The Worker increments a daily per-platform counter in a key-value store. Used to size onboarding capacity. Opt out by setting the environment variable FCB_NO_ANALYTICS=1 before running the install command.
Feedback events you explicitly send. If you click "I have feedback" inside your dashboard and write a message, it's POSTed to the same Cloudflare Worker, which creates a GitHub issue under passporttowealth/passporttowealth. The body of the issue contains: your message, your client ID (set by your advisor at install time), the skill version, the platform, and a timestamp. It does not contain transactions, file paths, or the workspace contents — only what the message itself includes.
Your dashboard, if you choose to share it. If you tell the assistant "share my dashboard," the publish flow uploads the rendered site/ directory to a private URL on the here.now publishing host, gated by a passcode the skill generates. The uploaded bundle includes: the rendered HTML, the categorized transactions (in JSON embedded in the page and in CSV exports under downloads/), and aggregate summaries. It does not include the original source files (PDFs, statements). This is opt-in per dashboard; if you never share, nothing is uploaded.
3. What we explicitly do not collect
Your IP address. The Cloudflare Worker that receives the install ping and feedback events does not read the cf-connecting-ip header. (Verified by source: cloudflare-worker/src/index.js.)
Your user-agent string.
Your name, email, machine identifier, or any field that could re-identify you. The install ping carries platform + timestamp + advisor_id; nothing else.
Cloudflare logs of the request body. Worker observability is explicitly turned off in wrangler.toml so requests don't sit in Cloudflare's own logs.
Analytics. There are no third-party analytics scripts on this landing page or the published dashboards. No Google Analytics, no Mixpanel, no Segment, no anything.
Telemetry on individual pipeline runs. The skill does not phone home when you run "build my report" or "refresh." Errors are written to a local file you control; transmission of error envelopes to your advisor is opt-in and user-triggered.
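The install ping described in section 2, and the "nothing else" claim above, can be enforced on the receiving side with a strict field allowlist. The following is an added example, not code from cloudflare-worker/src/index.js; the function names and the counter key format are assumptions, and only the field names and the 90-day retention come from this page.

```javascript
// Added example, not the project's Worker code. Field names come from the payload
// shown on this page; the key format and all function names are assumptions.
const ALLOWED = new Map([
  ["v", (x) => x === 1],
  ["event", (x) => x === "install_started"],
  ["platform", (x) => x === "mac" || x === "win"],
  ["build_stamp", (x) => typeof x === "string" && !Number.isNaN(Date.parse(x))],
  ["advisor_id", (x) => typeof x === "string" && /^[a-z0-9_-]{1,64}$/.test(x)],
]);
const TTL_SECONDS = 90 * 24 * 60 * 60; // the 90-day retention the page states

// Returns null when the body has exactly the documented fields, else a reason.
function rejectReason(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) return "not an object";
  for (const key of Object.keys(body)) {
    if (!ALLOWED.has(key)) return `unexpected field: ${key}`;
  }
  for (const [key, valid] of ALLOWED) {
    if (body[key] === undefined) return `missing field: ${key}`;
    if (!valid(body[key])) return `bad value: ${key}`;
  }
  return null;
}

// Decides what to store from the request body alone; headers are never an input.
// The day bucket uses the server clock, so a forged build_stamp cannot move it.
function planInstall(rawBody, now = new Date()) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { status: 400, reason: "invalid JSON" }; }
  const reason = rejectReason(body);
  if (reason) return { status: 400, reason };
  const key = `installs:${now.toISOString().slice(0, 10)}:${body.platform}`; // hypothetical format
  return { status: 204, key, ttl: TTL_SECONDS };
}

// Applies the plan to a store with Cloudflare KV's get/put shape. KV has no atomic
// increment, so concurrent pings can undercount.
async function recordInstall(kv, rawBody, now = new Date()) {
  const plan = planInstall(rawBody, now);
  if (plan.status !== 204) return plan;
  const count = Number((await kv.get(plan.key)) ?? 0) + 1;
  await kv.put(plan.key, String(count), { expirationTtl: plan.ttl });
  return { ...plan, count };
}
```

Rejecting any unexpected field, instead of silently ignoring it, means a future installer change that starts sending more data fails visibly.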
4. Third parties we rely on
Each of these is governed by their own privacy policy, which applies in addition to this one:
Cloudflare — operates the Worker that receives install pings and feedback events. Cloudflare Privacy Policy.
here.now — operates the publishing host that serves your shared dashboards. Only contacted if you choose to publish. here.now Privacy Policy.
GitHub (Microsoft) — hosts the source code, receives feedback issues you create, and serves a backup mirror of this landing page. GitHub Privacy Statement.
Anthropic — operates Claude, the AI assistant the skill runs on. You sign in with your own Claude account; we don't see your conversations. Anthropic Privacy Policy.
5. How long we keep things
Daily install counters are kept for 90 days, then auto-expire (configured via Cloudflare KV TTL).
Feedback events become GitHub issues, which persist according to GitHub's normal issue lifetime — until manually closed and deleted.
Published dashboards persist on the here.now slug until you (or your advisor) explicitly delete them. Use delete-my-site.command from the workspace to take down a site.
Local files in ~/Documents/my-finances/ persist until you delete them. We don't auto-clean anything.
6. Your rights and controls
Opt out of install telemetry by setting FCB_NO_ANALYTICS=1 before running the install command.
Delete a published dashboard via delete-my-site.command in your workspace.
Delete your workspace by removing the ~/Documents/my-finances/ folder (Mac) or %USERPROFILE%\Documents\my-finances\ (Windows). Nothing on our side persists about your local data, so deleting the folder is sufficient.
Request deletion of a feedback event by replying to the GitHub issue or contacting the address below.
7. Children
This product is intended for adults managing their own finances or working with a financial advisor. We do not knowingly collect data from anyone under 18.
8. Changes to this policy
If material changes occur (e.g., a new sub-processor, a new data category collected), we will update this page and update the version above. Substantive changes will be noted in the project's CHANGELOG.